Cisco: NAT Example, Allowing Internal Users to Access the Internet

From OnnoWiki
[Figure: Cisco-nat1-contoh.jpeg]

In this example, you want NAT to allow certain devices (the first 31 of each subnet) on the inside to initiate communication with devices on the outside by translating their invalid addresses to a valid address or pool of addresses. The pool has been defined as the address range 172.16.10.1 through 172.16.10.63.

GNS3 NAT NOTE: the GNS3 NAT node uses 192.168.122.x addresses, with the NAT inside IP being 192.168.122.1.


You are now ready to configure NAT. To accomplish what is defined above, use dynamic NAT. With dynamic NAT, the translation table in the router is initially empty and gets populated as traffic that needs to be translated passes through the router. This differs from static NAT, where a translation is statically configured and placed into the translation table without any traffic being required.

In this example, you can configure NAT to translate each inside device to a unique valid address, or to translate each inside device to the same valid address. The second method is known as overloading. An example of how to configure each method is given here.

NAT router: no-overload

enable
configure terminal

interface ethernet 1/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no shutdown
!--- Defines Ethernet 1/0 with an IP address and as a NAT inside interface.

interface ethernet 1/1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 no shutdown
!--- Defines Ethernet 1/1 with an IP address and as a NAT inside interface.
! 
! DHCP-assigned IP address
interface FastEthernet 0/0
 ip address dhcp
 ip dhcp client request
 ip nat outside
 no shutdown
!--- Defines FastEthernet 0/0 with an IP address and as a NAT outside interface.

!
! or multiple IP addresses
interface FastEthernet 0/0
 ip address 192.168.122.100 255.255.255.0
 ip address 192.168.122.101 255.255.255.0 secondary
 ip address 192.168.122.102 255.255.255.0 secondary
 ip nat outside
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.122.1
!--- Defines FastEthernet 0/0 with an IP address and as a NAT outside interface.


! ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63 (commented out; the GNS3 alternatives follow).
!--- Check the FastEthernet IP address with "show interfaces".
ip nat pool no-overload 192.168.122.232 192.168.122.232 prefix 24
!--- Defines a NAT pool named no-overload with a range of a single
!--- address, 192.168.122.232.
! or
!
!--- Check the FastEthernet IP addresses with "show interfaces".
ip nat pool no-overload 192.168.122.100 192.168.122.102 prefix 24
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 192.168.122.100 - 192.168.122.102 (the primary and secondary addresses above).


ip nat inside source list 7 pool no-overload 
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 have
!--- the source address translated to an address out of the
!--- NAT pool "no-overload".
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.

NAT router: overloading

interface Ethernet1/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no shutdown
!--- Defines Ethernet1/0 with an IP address and as a NAT inside interface.

interface Ethernet1/1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 no shutdown
!--- Defines Ethernet1/1 with an IP address and as a NAT inside interface.

! interface serial 0
!  ip address 172.16.10.64 255.255.255.0
!  ip nat outside 
!--- Defines serial 0 with an IP address and as a NAT outside interface.
interface FastEthernet0/0
! ip address 172.16.10.64 255.255.255.0
 ip address dhcp
 ip dhcp client request
 ip nat outside 
 no shutdown
!--- Defines FastEthernet0/0 with a DHCP-assigned IP address and as a NAT outside interface.
!--- Check the FastEthernet IP address with "show interfaces",
!--- for example 192.168.122.176/24.
ip nat pool ovrld 192.168.122.176 192.168.122.176 prefix 24
!--- Defines a NAT pool named ovrld with a range of a single IP
!--- address, 192.168.122.176.
ip nat inside source list 7 pool ovrld overload
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 have the source address
!--- translated to an address out of the NAT pool named ovrld.
!--- Translations are overloaded, which allows multiple inside
!--- devices to be translated to the same valid IP address. 
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.


Note that in the second configuration above, the NAT pool "ovrld" has a range of only one address. The overload keyword used in the ip nat inside source list 7 pool ovrld overload command allows NAT to translate multiple inside devices to the single address in the pool.

Another variation of this command is ip nat inside source list 7 interface serial 0 overload, which configures NAT to overload on the address assigned to the serial 0 interface.

When overloading is configured, the router maintains enough information from higher-level protocols (for example, TCP or UDP port numbers) to translate the global address back to the correct local address.
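As an added example (not from the original page or from Cisco's documentation), the following Python model reproduces the behaviours the two configurations above rely on: access-list 7's wildcard masks deciding which inside hosts are translated, the no-overload pool handing out one address per host until it runs dry, and the overload keyword letting every host share the single ovrld address with the port number used to map return traffic back. The inside host addresses and the port allocation starting at 1024 are constructed values.

```python
import ipaddress

def ip(a): return int(ipaddress.IPv4Address(a))   # dotted quad -> int

def acl_permits(src, acl):
    """Cisco wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    return any((ip(src) | ip(w)) == (ip(n) | ip(w)) for n, w in acl)

class DynamicNat:
    def __init__(self, pool_start, pool_end, acl, overload=False):
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(ip(pool_start), ip(pool_end) + 1)]
        self.acl, self.overload = acl, overload
        self.hosts = {}        # no-overload: inside local IP -> inside global IP
        self.table = {}        # (local_ip, local_port) -> (global_ip, global_port)
        self.next_port = 1024  # constructed: first port this model hands out under overload

    def outbound(self, local_ip, local_port):
        """Return the (global_ip, global_port) the packet leaves with, or None if dropped."""
        if not acl_permits(local_ip, self.acl):
            return None                              # not matched by ACL 7: left untranslated
        if not self.overload:
            hit = self.hosts.get(local_ip)           # one pool address per inside host
            if hit is None:
                free = [a for a in self.pool if a not in self.hosts.values()]
                if not free:
                    return None                      # pool exhausted: packet dropped
                hit = self.hosts[local_ip] = free[0]
            self.table[(local_ip, local_port)] = (hit, local_port)   # port carried unchanged
            return (hit, local_port)
        if (local_ip, local_port) not in self.table: # overload: every host shares pool[0]
            self.table[(local_ip, local_port)] = (self.pool[0], self.next_port)
            self.next_port += 1
        return self.table[(local_ip, local_port)]

    def inbound(self, global_ip, global_port):
        """Reverse lookup for a return packet; under overload only the port tells hosts apart."""
        return next((l for l, g in self.table.items() if g == (global_ip, global_port)), None)

ACL_7 = [("10.10.10.0", "0.0.0.31"), ("10.10.20.0", "0.0.0.31")]   # access-list 7 from the page
def demo():
    nat = DynamicNat("172.16.10.1", "172.16.10.63", ACL_7)           # the page's no-overload pool
    first = nat.outbound("10.10.10.5", 40000)                         # ('172.16.10.1', 40000)
    denied = nat.outbound("10.10.10.40", 40000)                       # None: .40 is past .31
    single = DynamicNat("192.168.122.176", "192.168.122.176", ACL_7)  # ovrld pool, keyword omitted
    single.outbound("10.10.10.5", 40000)
    starved = single.outbound("10.10.20.5", 40000)                    # None: the one address is taken
    pat = DynamicNat("192.168.122.176", "192.168.122.176", ACL_7, overload=True)
    a, b = pat.outbound("10.10.10.5", 40000), pat.outbound("10.10.20.5", 40000)
    return first, denied, starved, a, b, pat.inbound(*b)
```

The `starved` case is why the single-address ovrld pool needs the overload keyword: without it the second permitted host gets no translation at all.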

Related Links